Windows Defender - June 2019 Report

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
What I have seen from the WD log is like a salmonella infection: the immune system (local AV protection) tries to protect the body, but in the end the patient has to get help from the health service (AV Cloud). After the treatment, the patient is still not perfectly healthy and can have some side effects (malware leftovers).
But this model is probably the best available so far, because it was made either by God or by (biological and social) Evolution.:emoji_ok_hand:
It can also be hardened by applying a kind of healthy prophylactic (OSA, SysHardener) or prophylactic + healthy diet (H_C).:giggle:

Edit.
It is also probable that the WD default health service is similar to that of a small village, far out in the country.:( (joke, it is not as bad):giggle:
 

Andy Ful
A bit off topic, but posts like these made by @Andy Ful and the tests of @Evjl's Rain make me wonder about WD in my config again... Thanks guys :unsure:
That is the trouble with forums like this one :D
We are talking here about malware you will never see running on your computer. Most of the samples have a very, very low prevalence. If you have doubts, then simply apply the H_C Recommended settings.(y):giggle:
 

Andy Ful
I analyzed all the samples missed with WD MAX settings and all of them (except one) were scripts, so they could be easily blocked by adding SysHardener (tweaked), OSArmor or H_C ("Allow EXE" or Recommended setup). The one missed EXE file was mitigated by WD and disappeared after reboot. Furthermore, in a real-world scenario it would be blocked by SmartScreen or prevented by blocked scripts and MS Office hardening.

When using WD HIGH or MAX settings with SysHardener, OSA or H_C ("Allow EXE" setup), the user who wants to apply extraordinary protection should only remember:
  1. Run executables directly from the USB drive, or upload files from the USB drive to OneDrive. Copying files directly from the USB drive to the hard drive and running them is not safe.
  2. Use BandZip to access files in archives.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
(quoting Andy Ful's post above)
In real life, people/relatives will not follow rule 1. Any other solutions or ideas for this "problem"?
Rule 2 is great advice and easy to do on the PCs of family, relatives and friends. (y)
 

Andy Ful
In real life, people/relatives will not follow rule 1. Any other solutions or ideas for this "problem"?
Rule 2 is great advice and easy to do on the PCs of family, relatives and friends. (y)
Yes. You know one solution already. (y)
Anyway, do they need such extraordinary protection? Who shares never-seen malware via USB drive? Is it you (joke)?:giggle:

Edit.
If one wants to keep WD and Windows native security, then the only solution I know is H_C.
Other good solutions without WD (less compatible with Windows) are well known on MT.
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,730
(quoting Andy Ful's post above)

Just to clarify, are BandZip and BandiZip different programs? I’ve seen different spellings and am not sure if they are different software, or just variations in spelling.
 

Gandalf_The_Grey
Yes. You know one solution already. (y)
Anyway, do they need such extraordinary protection? Who shares never-seen malware via USB drive? Is it you (joke)?:giggle:
No, I don't share anything with anybody :D
I was just thinking of my kids working on school projects with classmates and sharing USB drives.
In your most valued opinion, is H_C at recommended settings and WD at high settings enough protection for that?
 

Andy Ful
No, I don't share anything with anybody :D
I was just thinking of my kids working on school projects with classmates and sharing USB drives.
In your most valued opinion, is H_C at recommended settings and WD at high settings enough protection for that?
Yes, if they do not disable the protection.:emoji_pray:
If the child uses an SUA and does not know the Admin password, then disabling the protection is not possible. To avoid bypassing SmartScreen, you can set SmartScreen to Block in ConfigureDefender.
 

MalwareTypes

Level 1
Verified
Nov 7, 2014
27
BAFS can recognize malware in ZIP archives (from the Internet Zone) and probably in most known archive types too. But, as @Evjl's Rain already mentioned, this does not apply to password-protected archives.(y)
Windows natively only recognizes ZIP archives out of the many archive types that exist. So I would venture to guess that BAFS can see only what Windows can see, i.e. ZIP archives.
ISO files are a special case: Windows mounts them rather than really opening them, so I am not really sure how "Mark of the Web" inheritance is managed in that case.
Either way, BandiZip is a great choice.
 

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
No, I don't share anything with anybody :D
I was just thinking of my kids working on school projects with classmates and sharing USB drives.
In your most valued opinion, is H_C at recommended settings and WD at high settings enough protection for that?
According to what I saw, I believe WD on high settings is not really better than itself on default settings against EXE malware.
The high setting is definitely better against exploits or scripts, which some EXE malware can utilize.
However, for pure EXE malware, they are quite similar in both (ignoring BAFS).
I also tried to test WD high in an offline condition. It did trigger the behavior blocker (a few times) but was still super weak compared to third-party AVs.

Most WD users are infected by password-protected archives!!! (in my country)
USB-delivered malware is virtually never zero-day -> not really a problem
When malware comes from USB, we should consider that the users also use their AVs in offline mode (otherwise they may download it from browsers)
 

Andy Ful
According to what I saw, I believe WD on high settings is not really better than itself on default settings against EXE malware.
...
I am afraid that this statement cannot be concluded from your tests. It would require a different kind of test.
It can be done by using the WD Demo webpage:
  1. Set WD to the DEFAULT Protection Level by using ConfigureDefender and reboot the computer.
  2. Use Edge (native, not Chromium) to prepare 20 samples from the WD Demo webpage which bypassed BAFS. Do not run the samples from the hard disk. On my computer I had to create about 40 demo samples, because about half of them were detected and removed from disk by BAFS.
  3. Set the WD Cloud Protection Level to High by using ConfigureDefender and reboot the computer. Check that the Internet connection has been established.
  4. Open the folder with the samples (do not run them); many samples should be quarantined.
That was the result on my computer, which strongly suggests that HIGH settings are also much stronger for EXE files than DEFAULT settings.
This test cannot be done with ShadowDefender in Shadow mode on boot, because the WD settings would be restored to DEFAULT after reboot.

Unfortunately, it may not be easy to repeat a similar test on real samples, because it is not easy to separate the samples blocked by BAFS from the samples blocked by other Cloud AI features or signatures. Furthermore, Cloud detection can differ when the same samples are run at different moments in time (Cloud AI can learn).(y)
 
Last edited:
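The DEFAULT-vs-High comparison described in the post above, done with the built-in Defender cmdlets instead of ConfigureDefender, as an added example that is not part of the original post or of any tool mentioned in the thread. It assumes an elevated PowerShell, that the samples which survived BAFS have already been saved (not run) into $SamplesDir, and that MpCmdRun.exe is in its default location; the 60-second wait is a guess. Run it once with -Level Default (the baseline, where the survivors should stay put), reboot, then once with -Level High, and do not do this under Shadow Mode, where the setting would not survive the reboot.

```powershell
# Added example (not from the original post, ConfigureDefender, H_C or Microsoft):
# switch the Defender cloud block level and rescan a folder of prepared samples
# to compare how many are quarantined at each level. Run elevated. Reboot between
# runs, as the post suggests, and never run the samples themselves.
param(
    [string]$SamplesDir = 'C:\Samples',          # assumption: folder holding the samples that survived BAFS
    [ValidateSet('Default', 'High')]
    [string]$Level = 'Default'                   # Set-MpPreference also accepts Moderate, HighPlus, ZeroTolerance
)

$before = Get-MpPreference
'Before: CloudBlockLevel={0} MAPSReporting={1} SubmitSamplesConsent={2}' -f `
    $before.CloudBlockLevel, $before.MAPSReporting, $before.SubmitSamplesConsent

# The block level only has an effect when cloud-delivered protection is enabled,
# so make that explicit rather than assuming the defaults are still in place.
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples
Set-MpPreference -CloudBlockLevel $Level
Set-MpPreference -CloudExtendedTimeout 50       # extra seconds (max 50) to wait for a cloud verdict

# Step 3 of the procedure: the comparison is meaningless offline, so verify the
# MAPS (Defender cloud) connection before trusting the result.
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
if ($LASTEXITCODE -ne 0) { throw 'MAPS connection check failed: the test is not valid offline.' }

# Step 4: opening the folder in Explorer triggers real-time scanning; a custom
# scan of the same folder does the same thing deterministically.
$total = (Get-ChildItem -LiteralPath $SamplesDir -File).Count
Start-MpScan -ScanType CustomScan -ScanPath $SamplesDir
Start-Sleep -Seconds 60                           # assumption: enough time for cloud lookups and quarantine
$remaining = (Get-ChildItem -LiteralPath $SamplesDir -File).Count
'Level {0}: {1} of {2} samples quarantined' -f $Level, ($total - $remaining), $total

# What Defender itself recorded for that folder, for the write-up.
Get-MpThreatDetection |
    Where-Object { ($_.Resources -join ' ') -like "*$SamplesDir*" } |
    Select-Object InitialDetectionTime, ThreatID, Resources |
    Format-Table -AutoSize
```

Counting files before and after is deliberate: it separates "quarantined at this level" from "already gone", which is the confound the post mentions when real samples are used, and the Get-MpPreference printout at the start documents the exact starting state of each run.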

Evjl's Rain
(quoting Andy Ful's post above)
Testing with WD demo samples doesn't tell anything, because they are not malware; same for EICAR/AMTSO.
They are just a test to see if something is working properly or not, but they don't show which is more effective.
The high setting is better than the default setting, that's obvious, but how much better is the question to find out.

The problem is when comparing High or Default settings to BAFS: that's a very, very far distance, because BAFS is very aggressive and much more prone to FPs than the others. If all malware can be checked with BAFS, it's ideal.
 

Andy Ful
(quoting Evjl's Rain's post above)
That is true. Demo samples can show one thing, and real samples can show a different picture. It is much harder (and more time-consuming) to test this on real samples. But anyway, another type of test would be required. First, the samples should be tested on the DEFAULT setup. Next, the test should be repeated on the same system as before testing the DEFAULT setup, but with the Cloud Protection Level changed from Default to High (this is not the HIGH or MAX setup). Probably more than one test should be done to get the right picture.
 

ForgottenSeer 72227

According to what I saw, I believe WD on high settings is not really better than itself on default settings against EXE malware.

I know this is in relation to WD specifically, but would you say that SmartScreen improves on this, especially if it's set to block? Assuming that the file keeps the MOTW, SmartScreen seems to be pretty aggressive from what I've seen. I guess this is where RunBySmartScreen may help?
 

Evjl's Rain
I know this is in relation to WD specifically, but would you say that SmartScreen improves on this, especially if it's set to block? Assuming that the file keeps the MOTW, SmartScreen seems to be pretty aggressive from what I've seen. I guess this is where RunBySmartScreen may help?
SmartScreen + SysHardener/H_C blocks everything, almost. No need for any AV :D in theory
SmartScreen, a reputation checker, works as if everything is guilty until proven innocent:
SmartScreen filtering at the desktop level, performing reputation checks by default on any file or application downloaded from the Internet, was introduced in Windows 8.[9][10] Similar to the way SmartScreen works in Internet Explorer 9, if the program does not have an established good reputation, the user is alerted that running the program may harm their computer.

Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, SmartScreen shows a warning, advising caution.
 
ForgottenSeer 72227

SmartScreen + SysHardener/H_C blocks everything, almost. No need for any AV :D
SmartScreen, a reputation checker, works as if everything is guilty until proven innocent
Hehe fair enough!

I guess maybe it would be fair to say that if one is using WD on W10, it's better to consider all the security options/features within the OS to complement one another, kind of how a 3rd-party suite works. Even though something like SmartScreen will work with 3rd-party products as well, it's just more important with WD, as the OS as a whole is designed like a suite in a way, as all the features work together. ;) Like you said, supplement that with SysHardener, H_C, etc. and you'll probably be covered quite well!
 

Andy Ful
SmartScreen + SysHardener/H_C blocks everything, almost. No need for any AV :D in theory
SmartScreen, a reputation checker, works as if everything is guilty until proven innocent
I would say (I know that you know it):giggle::
"RunBySmartScreen + SysHardener" / H_C blocks everything, almost.
SmartScreen + SysHardener (without RunBySmartScreen) does not use forced SmartScreen, so it will fail for some EXE samples delivered without MOTW, which would be blocked by H_C.
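The MOTW point made in the post above (SmartScreen only looks at files that carry the mark, a copy from a USB stick has none, so forced SmartScreen or H_C has to step in), as an added example that is not code from the original post, H_C, SysHardener or ConfigureDefender. It inventories which launchable files in a folder SmartScreen would actually check, shows how to stamp the mark onto a file copied from removable media, and sets the Explorer SmartScreen policy to Block as recommended earlier in the thread. $Dir, the extension list, the sample path in the usage comment and the assumption that ConfigureDefender's "Block" writes these same policy values are mine.

```powershell
# Added example (not from the original post, H_C, SysHardener or ConfigureDefender).
# SmartScreen evaluates a file only if it carries the Mark of the Web: the
# Zone.Identifier alternate data stream with ZoneId=3 (Internet). Browsers add
# it on download; copying from a USB stick to the hard drive does not.
param([string]$Dir = "$env:USERPROFILE\Downloads")   # assumption: folder to inventory

function Get-MotwZone {
    # Returns the ZoneId from the file's Zone.Identifier stream, or $null if none.
    param([string]$Path)
    try {
        $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null   # no alternate data stream: never marked, or the mark was stripped
    }
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Add-Motw {
    # Stamp the Internet zone onto a file (e.g. one copied from a USB stick) so that
    # SmartScreen treats it like a download the next time it is launched.
    param([string]$Path)
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
}

function Set-SmartScreenBlock {
    # Explorer SmartScreen policy: "Warn" lets the user click through, "Block" does not.
    # Assumed to match ConfigureDefender's "SmartScreen = Block". Needs admin; a
    # standard user (SUA) cannot change HKLM policy keys, which is why an SUA holds.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    New-Item -Path $pol -Force | Out-Null
    Set-ItemProperty -Path $pol -Name EnableSmartScreen -Type DWord -Value 1
    Set-ItemProperty -Path $pol -Name ShellSmartScreenLevel -Type String -Value 'Block'
}

# Inventory: anything launchable without ZoneId=3 bypasses SmartScreen entirely,
# which is the gap RunBySmartScreen (H_C) closes by forcing the check.
$launchable = '.exe', '.msi', '.scr', '.bat', '.cmd', '.js', '.vbs', '.ps1', '.hta'
Get-ChildItem -LiteralPath $Dir -File -Recurse |
    Where-Object { $launchable -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $zone = Get-MotwZone $_.FullName
        $status = if ($zone -eq 3) { 'checked by SmartScreen' } else { 'NOT checked (no MOTW)' }
        [pscustomobject]@{ File = $_.FullName; ZoneId = $zone; Status = $status }
    } | Format-Table -AutoSize

# Usage for the two fixes (uncomment to apply):
# Add-Motw 'C:\Users\me\Desktop\copied-from-usb\tool.exe'   # assumed path
# Set-SmartScreenBlock
```

The inventory is the useful part for the "family PC" case discussed earlier: run it against the folder where USB files end up and every row marked "NOT checked" is a file that SmartScreen, however aggressive, will never see, which is exactly why rule 1 (run from the USB stick or via OneDrive) or forced SmartScreen matters.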
 
